FCA solicits removal of 90-day Open Banking reauthorisation
The current FCA consultation paper on payment services and electronic money proposes to exempt fintechs from the 90-day reauthorisation requirement for using Open Banking data. The decision could have big consequences for the future of Open Banking.
Replies (19)
"The report adds that the 90-day rule has led to a significant loss of customers when the reauthentication becomes required."
This suggests that the 90 day rule is a good thing if it encourages users to periodically re-appraise the value of the service. If they are choosing not to continue that seems to be a positive decision for their business, based on their experience of this facility.
Thank goodness for that, one of our biggest headaches. It takes long enough to get a client to sign up in the first place; totally agree that the 90 day thing means many fall off when they do not want to but just can't be bothered - bring it on.
For a tech savvy end user the 90 day rule is a minor irritation but a disruption to the use of bank feeds, for example, in accounts software. For those not tech savvy, particularly for accountants doing bookkeeping on behalf of these clients it's a major headache and one that this proposed change will definitely assist.
The major issue with openbanking authorisations is the vast majority of banks don't present these clearly in their apps/online so it can be a real pain to see what/who you've connected to and disable these connections if no longer of value. Couple that with non-tech savvy users who may rarely or infrequently log into apps/online banking and there is a small risk that these users could be targeted by those with nefarious intentions.
There are other safeguards in place though but as openbanking payments become more prevalent this is an area where cause for concern could lie.
With the opportunity to tie real time bank data, with near real time cloud accounting data, I can see a move to near realtime auditing getting closer particularly if e-invoicing starts to creep into the mainstream in the UK.
About time as far as accounting is concerned. It completely defeats the point and benefits of automated feeds into accounts software.
I would be interested to know what percentage of the public actually asked for this in the first place and why there isn't the option for users to opt out of the 90 day re-authentication. It is a real pain to get clients to keep re-authenticating and 100% of my clients would be happy to opt out of the process.
It's a bit like getting letters for bank charges - I constantly get letters from my banks telling me I have paid Nil or under £10 of bank charges, normally comprising an envelope and several sheets of paper - a cost to the bank, and ultimately bank customers and bad for the environment. I don't care and would like to opt out, but the banks say I cannot - absolutely ludicrous.
Glad to hear this. I believe Xero are making 2 step authentication mandatory. This being the case, getting the client to set up/go through 2 step authentication and reauthorise every 90 days will be a nightmare. I must cumulatively waste hours if not days every year hand-holding clients as they reauthorise.
Regulation is put in place for a purpose - building regs come to mind. The FCA should tread carefully or it could open up "endless possibilities" for fraud.
If you can explain what purpose the 90 day rule for refreshing bank feeds to software serves, I'm sure we would all be interested to hear it.
Access to the accounting software is restricted, so the information is not being released to all and sundry. Also it only allows those with access to the accounting software the ability to see historical transactions, not create new ones. I, and many others it seems, just cannot see what security issue the 90 day rule is addressing.
The 90 day rule was put in place to both encourage competition and for end-user security. By having to reconnect you're naturally given the opportunity to consider if the connection has some value to you whilst on the flip side for a thing such as a bank feed to Xero etc it's a pain and inconvenience. I suspect one that wasn't considered when the rules were being written, particularly as this was being done 5 or 6 years ago when cloud accounting was still in its relative infancy in the UK and further behind in the EU where this originated.
Openbanking regulation's intent is to foster competition for consumers and SMEs, and one of the things cited was the relative inertia of bank switching and the dominance of the high street banks in these markets, so you can understand the intention of trying to make consumers and businesses think twice about these connections.
"The 90 day rule was put in place to both encourage competition and for end-user security."
This is a largely meaningless phrase that does not really explain the benefit to the consumer.
Encourage competition - Makes the user consider whether they want to continue to use Xero or the bank they are with? Some people do review both these things regularly, but most want to get on with running their business.
End-user security - It is likely that the software is secure anyway (at least by a password and often by two-factor authentication as well). Even if it isn't, without the bank feed the user just uploads the same information on a semi-regular basis. They still need to keep their accounting records up to date (legally required to for companies) so the information will still be there. At most there is a delay in it arriving, but it is no more secure.
"The benefits of open banking have long been heralded as transformational for consumers and businesses with the technology opening the floodgates to a wave of new financial products.
Open banking allows third-parties to access the financial information your bank holds securely and with your consent.
The ‘opening up’ of financial information, in turn, creates endless possibilities for financial technology firms to produce services that rely on the information your bank holds."
So what benefits accrue to the bank account-holder? And what protections are they afforded?
Is it a bit like the push for 'smart' utility meters ... where the only immediate benefits are for the service suppliers, with the possibility of longer-term benefits for those running the infrastructure?
The benefits for consumers and businesses are there if you're willing to look for them...
No more insecure bank feeds through 3rd parties and no more paid for secure bank feeds either.
Access to bank account services for those consumers typically excluded
Lower cost cross border payments
Lower cost payment services
Integrated payment solutions
Low fee investment services allowing the poorest in society to save what they can without unnecessary erosion of said investments, and allowing them to diversify investments in a way that traditionally only those with decent sums of disposable income could
I could go on
Typically excluded consumers are those without any connections or without any equipment. They also include those without any banking service at all. We should worry about them too.
This need to get clients to re-authenticate every 90 days is regarded by clients as us making a bloody nuisance of ourselves and entails them having to do the same job over and over again. It is universally regarded as an irritant and needs to be addressed.
Businesses and consumers should be allowed to exercise their own discretion and opt out if they want to. I imagine 80-90% (probably 100% of my clients) would happily do so if given the choice. It just adds more administration and costs for most of our clients to have to re-approve every 90 days, with no discernible benefit.
If policy makers really wanted to encourage competition they would insist that data was freely, fully and easily transferable from one platform to another e.g. Xero to QBO, Iris to Digita, etc, instead of tinkering around the edges.